httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Jeff Trawick <traw...@attglobal.net>
Subject Re: [PATCH] Re: Deny from hostname broken in 2.0 on MacOSX 10.2
Date Thu, 03 Oct 2002 16:40:55 GMT
Justin Erenkrantz <jerenkrantz@apache.org> writes:

> --On Thursday, October 3, 2002 11:37 AM -0400 Jeff Trawick
> <trawick@attglobal.net> wrote:
> 
> > I committed the patch as-is...  somebody with recent autoconf can play
> > with the quotes later :)
> 
> Actually, we can do better than this.
> 
> If you pass NI_NAMEREQD to getnameinfo(), it will return an error code
> of 8 (forget the symbolic code).

understood, but that only serves to make the output from the test
program more obvious

>                                 The bigger problem is that
> server/core.c:778 throws away the return code.  (Note that your test
> program doesn't pass that, but apr_getnameinfo does.)

Setting remote_host to "" is supposed to indicate a name lookup
failure, right?  and ap_get_remote_host() will return NULL in that
case...  the caller of that needs to do the right thing.

Is mod_authz_host::find_allowdeny() doing the right thing when
ap_get_remote_host() fails?  I guess it has to fail access since it
doesn't know whether or not the client is allowed or denied.

> We should be failing the lookups when we get an error back from
> getnameinfo().  Your test program modified to pass NI_NAMEREQD on
> Darwin:
> 
> % ./gni_mapped
> look up via IPv4: 0/www.ibm.com
> look up via IPv6: 8/not found
> 
> I'd rather we fixed that than disable IPv6 across the board on
> Darwin. That way, when it is fixed, we don't have to do anything.
> And, whenever we get an error from apr_getnameinfo(), we don't ignore
> it.  -- justin

AFAICT, if we don't disable IPv6 or somehow add a Darwin kludge around
the call to getnameinfo(), the call to getnameinfo() will still fail
and the access checks will still not work properly.  Nothing you
mention is going to make getnameinfo() work properly or work-around
the bug, so how are allow and deny going to work?

What have I missed?

-- 
Jeff Trawick | trawick@attglobal.net
Born in Roswell... married an alien...

Mime
View raw message